The June 2018 Security Update Review

June is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for June.

Adobe Patches for June 2018

Adobe actually started their monthly patch cycle last week with an emergency patch for Flash to combat active attacks. According to some public reports, the CVE being exploited is primarily targeting the Middle East region and is wrapped in an Office document. The patch also contained three other CVEs, all of which were reported through the ZDI program. Adobe plans on ending support for Flash in 2020. For some, that date can’t get here fast enough.

As of publication, Adobe has released no other patches for June. We'll update should anything significant be released later.

Microsoft Patches for June 2018

Microsoft released 50 security patches for June covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V Server, Windows, and Microsoft Office and Office Services. Of these 50 CVEs, 11 are listed as Critical and 39 are rated Important in severity. Five of these CVEs came through the ZDI program. Only one of these bugs is listed as being publicly known at the time of release, and none are listed as under active attack.

Let’s take a closer look at some of the more interesting patches for this month:

- CVE-2018-8225 – Windows DNSAPI Remote Code Execution Vulnerability. This bug clearly wins for most critical this month. This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to the target server. There are a couple of ways this could happen. The attacker could attempt to man-in-the-middle a legitimate query. The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response – something that can be done from the command line. It’s also something that could be easily scripted. This means there’s a SYSTEM-level bug in a listening service on critical infrastructure servers, which also means this is wormable. “Patch Now” doesn’t even seem forceful enough. I have the sense we’ll be hearing about this bug for a while.

- CVE-2018-8231 – HTTP Protocol Stack Remote Code Execution Vulnerability. This patch covers another serious bug in a web-facing service. This time, the web server component http.sys is affected. A remote attacker could cause code execution by sending a malformed packet to a target server. Since http.sys runs with elevated privileges, the attacker’s code would get that same privilege. The patch notes that, “in most situations, an unauthenticated attacker” could do this. It’s unclear what those other situations may be, but that puts this bug pretty close to the wormable category as well. Either way, this should also be near the top of your test and patch priority list.

- CVE-2018-8140 – Cortana Elevation of Privilege Vulnerability. Hey, Cortana – pop calc for me! Well, it might not be that simple, but it appears it’s not far off. This vulnerability is due to the Cortana service retrieving data from input services “without consideration for status.” While that description from Microsoft is a bit oblique, it seems someone close enough to speak to a Cortana-enabled system could execute programs with elevated privileges. Again, the attacker needs physical or console access to the system, so remote attacks are not likely – provided you’re not talking on a speakerphone. Jokes aside, with the proliferation of personal assistants and similar services, bugs in these products will likely become more prevalent in the years to come.

- CVE-2018-8267 – Scripting Engine Memory Corruption Vulnerability. We’re quite familiar with the one publicly-known CVE for this month as it came through the ZDI program. We reported the JScript vulnerability back in January. The specific bug exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed – a classic use-after-free. Fortunately, the code execution occurs at the logged-on user level. Let this be your monthly reminder to do daily activities as a non-privileged user.

Here’s the full list of CVEs released by Microsoft for June 2018. We’ve added a column showing the type of vulnerability being addressed. Let us know what you think.

Before we get to the other June patches, we should discuss Security Advisory 4338110. This is only the second numbered advisory Microsoft has released in 2018. The advisory covers an encryption flaw where a padding oracle could allow a security feature bypass in certain circumstances if padded Cipher-Block-Chaining (CBC) block ciphers are used without additional data integrity checks. Microsoft states none of their products or services are affected by this, but developers definitely need to review the advisory and update their code as needed. The folks from Redmond published guidance for developers to use during their code review. You can read it here.
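The pattern Security Advisory 4338110 warns about is easiest to see side by side. The following Go example is added here and is not from the advisory or from Microsoft's guidance: decryptCBC is the weak form (CBC with no integrity check, where the caller can tell a padding failure apart from success), and seal/open is the encrypt-then-MAC fix that authenticates the message before any padding is ever inspected. The keys, the fixed IV and all function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Constructed demo keys and a fixed IV so the run is reproducible; real code derives keys with a KDF and uses a random IV per message.
var encKey, macKey = []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210")
var demoIV = bytes.Repeat([]byte{0x42}, aes.BlockSize)
var blk, _ = aes.NewCipher(encKey)
var ErrPadding, ErrAuth = errors.New("bad padding"), errors.New("authentication failed") // a distinguishable padding error is the oracle
// unpad strips PKCS#7 padding; caller guarantees len(b) is a non-zero multiple of the block size.
func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding
	}
	return b[:len(b)-n], nil
}
// encryptCBC returns iv||ct (AES-CBC, PKCS#7) with no integrity protection.
func encryptCBC(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	out := append(append(append([]byte(nil), demoIV...), pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, demoIV).CryptBlocks(out[aes.BlockSize:], out[aes.BlockSize:])
	return out
}
// decryptCBC is the weak pattern the advisory warns about: the caller learns whether padding was valid.
func decryptCBC(msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	return unpad(pt)
}
// seal is the fix (encrypt-then-MAC): append HMAC-SHA256(macKey, iv||ct) to the message.
func tag(msg []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(msg); return m.Sum(nil) }
func seal(pt []byte) []byte { msg := encryptCBC(pt); return append(msg, tag(msg)...) }
// open verifies the tag in constant time before decrypting; a tampered or truncated message never reaches unpad.
func open(sealed []byte) ([]byte, error) {
	n := len(sealed) - sha256.Size
	if n < 2*aes.BlockSize || !hmac.Equal(tag(sealed[:n]), sealed[n:]) {
		return nil, ErrAuth
	}
	return decryptCBC(sealed[:n])
}
```

Flipping one IV byte of an unauthenticated message yields either a padding error or a silently corrupted plaintext depending on which byte is touched, which is exactly the distinction the advisory's integrity check removes: open returns the same ErrAuth for every modification.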

As for the rest of the release, June sees fewer browser-related bugs than were released in the last few months. Interestingly, there are seven Device Guard security feature bypasses that end up impacting Windows PowerShell. In each case, a local attacker could inject their own code into a script that is trusted by the Code Integrity policy. When the script is later executed, the attacker’s code runs at the same level as the script, which bypasses any existing Code Integrity policy.

Then there’s CVE-2018-8213. When sysadmins talk about being frustrated by the patch process, this is the sort of thing they bring up. Although it’s labeled as a remote code execution bug, the description states an attacker would first have to log on to a system and then run a specially crafted application. That description usually goes with Important-severity bugs, but this one is listed as Critical. No other information about the bug is available. What’s doubly confusing is CVE-2018-8210, which was also released today, has the exact same title and word-for-word description, yet is listed as Important severity instead of Critical. The lack of clarity is frustrating – especially for those too busy to try to track down additional details.

This month’s release sees the Windows Desktop Bridge receiving its first two security patches. For those not familiar with it, the Desktop Bridge is designed to take existing desktop apps to the Universal Windows Platform (UWP) and the Windows store. The bugs are relatively simple – the program fails to properly protect the virtual registry – however, the impact could be broad. Although not specifically stated, UWP applications built with Desktop Bridge may need an update, too. If you’ve built apps using the Desktop Bridge, definitely look at this update closely to determine the full impact to your app.

This release includes a smattering of Office bugs as well, with the most important ones affecting Outlook and Excel. While not as technically interesting as some of the previously mentioned bugs, Office vulnerabilities should never be overlooked as they are targeted so often – even wrapped into attacks of other products (see Flash above). The release is rounded out by a few kernel updates, fixes for Denial-of-Service (DoS) attacks, and other patches for Windows core components.

Finally, Microsoft released two standard advisories for June. The first adds defense-in-depth protections to Office that improve memory handling for apps that display Office Art. Microsoft also released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on July 10, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!